EnCE Study Questions Chapters 6-10

Author: HorneK
Updated: 2014-05-18 18:13:43
Description: Chapters 6 through 10

The flashcards below were created by user HorneK on FreezingBlue Flashcards.


  1. 1. In the EnCase Windows environment, must an examiner first create a new case before adding a device to examine?

    A. Yes
    B. No
    A.  Yes. You must first create a new case before the Add Device option is available.

    (C6)
  2. 2. When EnCase 7 is used to create a new case, which files are created automatically in the case folder under the folder bearing the name of the case?

    A. Evidence, Export, Temp, and Index folders
    B. Email, Export, Tags, and Temp
    C. Evidence, Email, Tags, and Temp
    D. Export, Temp, and Index folders
    B.  EnCase 7 creates Email, Export, Tags, and Temp.  The Evidence folder would have to be created manually if the user opted to place it in this location.

    (C6)
    (this multiple choice question has been scrambled)
  3. 3. From the EnCase 7 Home screen, which of the following cannot be carried out?

    A. Opening a case
    B. Creating a new case
    C. Opening options
    D. Generating an encryption key
    E. All of the above
    E.  A, B, C, and D can all be carried out from the  Home screen.

    (C6)
  4. 4. When creating a new case, the Case Options dialog box prompts for which of the following?

    A. Name (case name)
    B. Examiner name
    C. Base case folder path
    D. Primary evidence cache path
    E. All of the above
    E.  The Case Options dialog box asks for all the options listed when a new case is created.

    (C6)
  5. 5. What determines the action that will result when a user double-clicks a file within EnCase?

    A. The settings in the TEXTSTYLES.INI file
    B. The settings in the FILETYPES.INI file
    C. The settings in the FILESIGNATURES.INI file
    D. The settings in the VIEWERS.INI file
    B. The data in the File Types database (stored in the FILETYPES.INI file) determines which file types will be opened by which viewers upon double-clicking or opening the file.

    (C6)
    (this multiple choice question has been scrambled)
  6. 6. In the EnCase environment, the term external viewers is best described as which of the following?

    A. External programs that are associated with EnCase to open specific file types
    B. Internal programs that are copied out of an evidence file
    C. External programs loaded in the evidence file to open specific file types
    D. External viewers used to open a file that has been copied out of an evidence file
    A. External viewers are programs that EnCase uses to open specific file types and are configured by the user.

    (C6)
    (this multiple choice question has been scrambled)
  7. 7. Where is the list of external viewers kept within EnCase?

    A. The settings in the FILETYPES.INI file
    B. The settings in the VIEWERS.INI file
    C. The settings in the TEXTSTYLES.INI file
    D. The settings in the XTERNALVIEWERS.CFG file
    B.  The VIEWERS.INI file stores information about the external programs that EnCase uses to open specific file types.

    (C6)
    (this multiple choice question has been scrambled)
  8. 8. When EnCase sends a file to an external viewer, to which folder does it send the file?

    A. Temp
    B. Scratch
    C. Export
    D. None of the above
    A.  When EnCase sends a file to an external viewer, the file is placed in the temp folder.

    (C6)
    (this multiple choice question has been scrambled)
  9. 9. How is the Disk view launched?

    A. By simply switching to the Disk view tab on the Table pane
    B. By launching it from the Device menu
    C. By right-clicking the device and choosing Open With Disk Viewer
    D. None of the above
    B.  It is launched as an option from the Device menu.

    (C6)
    (this multiple choice question has been scrambled)
  10. 10. Which of the following is true about the Gallery view?

    A. Files that are determined to be images by their file extension will be displayed.
    B. Files that are determined to be images based on file signature analysis will be displayed after the EnCase evidence processor has been run.
    C. Files displayed in the Gallery view are determined by where you place the focus in the Tree pane or where you activate the Set-Included Folders feature.
    D. All of the above.
    D.  All are true regarding the Gallery view.

    (C6)
  11. 11. True or false? The right-side menu is a collection of the menus and tools found on its toolbar.

    A. True
    B. False
    A.  True - the right-side menu is a collection of the menus and tools found on the toolbar to its left.  It is akin to the content formerly found on the right-click mouse button.

    (C6)
  12. 12. True or false? The results of conditions and filters are seen immediately in the Table pane of the Evidence tab Entries view.

    A. True
    B. False
    B.  False - When a filter or condition is run, The results are shown in the Results view or tab.

    (C6)
  13. 13. How do you access the setting to adjust how often a backup file (.cbak) is saved?

    A. Select View > Options > Case Options.
    B. Select Tools > Options > Case Options.
    C. Select View > Options > Global.
    D. Select Tools > Options > Global.
    D.  To adjust how often the backup file is saved, select Tools on the menu bar, select Options, and then change the number of minutes in the Auto Save Minutes box on the Global tab of the resulting dialog box.

    (C6)
    (this multiple choice question has been scrambled)
  14. 14. What is the maximum number of columns that can be sorted simultaneously in the Table view tab?

    A. Two
    B. Six
    C. Three
    D. 28 (maximum number of tabs)
    B.  Six.  EnCase allows the user to sort up to six columns in the Table view tab.

    (C6)
    (this multiple choice question has been scrambled)
  15. 15. How would a user reverse-sort on a column in the Table view?

    A. Hold down the Ctrl key, and double-click the selected column header.
    B. Right-click the selected column, select Sort, and select either Sort Ascending or Sort Descending.
    C. Both A and B.
    C.  The user can use either method to reverse-sort on a column.

    (C6)
  16. 16. How can you hide a column in the Table view?

    A. Place the cursor on the selected column, and press Ctrl+H.
    B. Place cursor on the selected column, open Columns menu on the toolbar, and select Hide.
    C. Place cursor on the selected column, open the right-side menu, open the Columns submenu, and select Hide.
    D. Open the right-side menu, open the Columns submenu, select Show Columns, and uncheck the desired fields to be hidden.
    E. All of the above.
    E.  All four methods will hide selected columns from the Table view.

    (C6)
  17. 17. What does the Gallery view tab use to determine graphics files?

    A. File size
    B. File extension
    C. Header or file signature
    D. Filename
    B.  The Gallery view displays images based on the File Category - Picture setting, which is determined by the file extension until such time that a file signature analysis is run.

    (C6)
    (this multiple choice question has been scrambled)
  18. 18. Will the EnCase Gallery view display a .jpeg file if its file extension was renamed to .txt?

    A. No, because EnCase will treat it as a text file
    B. Yes, because the Gallery view looks at a file’s header information and not the file extension
    C. Yes, but only if a signature analysis is performed to correct the File Category to Picture based on its file header information
    D. Yes, but only after a hash analysis is performed to determine the file’s true identity
    C.  When a signature analysis is performed, EnCase will update or correct the file category to Picture, in this particular case, based on the information contained in the file header.

    (C6)
  19. 19. How would a user change the default colors and text fonts within EnCase?

    A. The user cannot change the default colors and fonts settings.
    B. The user can change the default colors and fonts settings by right-clicking the selected items and scrolling down to Change Colors and Fonts.
    C. The user can change the default colors and fonts settings by clicking the View tab on the menu bar and selecting the Colors tab or Fonts tab.
    D. The user can change default colors and fonts settings by clicking the Tools
    D.  A user can change the way colors and fonts appear by selecting the Tools tab and then clicking Options to change colors and fonts.

    (C6)
  20. 20. An EnCase user will always know the exact location of the selected data in the evidence file by looking at which of the following?

    A. Dixon box
    B. Navigation Data on status bar
    C. Disk view
    D. Hex view
    B.  Navigation Data (also called the GPS bar in the field) displays the selected data's exact location, including the full path, physical sector, logical sector number, cluster number, sector offset, and file offset.

    (C6)
    (this multiple choice question has been scrambled)
  21. 1. Computers use a numbering system with only two digits, 0 and 1. This system is referred to as which of the following?

    A. Hexadecimal
    B. Binary
    C. ASCII
    B.  Binary is a numbering system consisting of 0 and 1 used by computers to process information.

    (C7)
    (this multiple choice question has been scrambled)
  22. 2. A bit can have a binary value of which of the following?

    A. 0 or 1
    B. 0–9 and A–F
    C. On or Off
    D. 0–9
    A.  Bi refers to two; therefore, a bit can have only two values, 0 or 1.

    (C7)
    (this multiple choice question has been scrambled)
  23. 3. A byte consists of ___ bits.

    A. 8
    B. 4
    C. 2
    D. 16
    A.  A byte consists of 8 bits, or two 4-bit nibbles, commonly referred to as the left nibble and the right nibble.

    (C7)
    (this multiple choice question has been scrambled)
  24. 4. If 1 bit can have two unique possibilities, 2 bits can have four unique possibilities, and 3 bits can have eight unique possibilities. This is known as the power of 2. How many unique possibilities are there in 8 bits (2^8)?

    A. 256
    B. 16
    C. 64
    D. 128
    A. 2^8 is 2 multiplied by itself eight times, or 2x2x2x2x2x2x2x2 = 256.

    (C7)
    (this multiple choice question has been scrambled)
  25. 5. When the letter A is represented as 41h, it is displayed in which of the following?

    A. ASCII
    B. Hexadecimal
    C. Decimal
    D. Binary
    B.  Values expressed with the letter "h" as a suffix are hexadecimal.  EnCase can display the letter A in text or hexadecimal format.

    (C7)
    (this multiple choice question has been scrambled)
  26. 6. What is the decimal integer value for the binary code 0000-1001?

    A. 7
    B. 11
    C. 9
    D. 1001
    C.  Starting from the right, the bits are "on" in the positions with place values 1 and 8, which total 9.

    (C7)
    (this multiple choice question has been scrambled)
  27. 7. Select all of the following that depict a Dword value.

    A. 0000 0001
    B. 0001
    C. FF 00 10 AF
    D. 0000 0000 0000 0000 0000 0000 0000 0001
    C and D.  A Dword is a 32-bit value.  A is incorrect because it depicts 8 binary bits, or one byte.  B is incorrect because it depicts 4 binary bits, or one nibble.  C is correct because it represents four hexadecimal bytes of 8 bits each (4 x 8 = 32 bits).  D is correct because it represents 32 binary bits.

    (C7)
  28. 8. How many characters can be addressed by the 7-bit ASCII character table? 16-bit Unicode?

    A. 128 and 256
    B. 128 and 65,536
    C. 64 and 65,536
    D. 64 and 256
    B.  2^7 is 2 multiplied by itself seven times = 128, while 2^16 is 2 multiplied by itself sixteen times = 65,536.

    (C7)
    (this multiple choice question has been scrambled)
  29. 9. Which of the following are untrue with regard to the EnCase Evidence Processor?

    A. A device must be acquired first before processing or be acquired as a requisite first step within the EnCase Evidence Processor.
    B. A live device can be subjected to normal processing by the EnCase Evidence Processor and does not have to be acquired first.
    C. Items marked with red flags denote items that are not applicable to the file system being processed.
    D. Items marked with red flags denote items that must be run during the first or initial run of the EnCase Evidence Processor and can’t be run in any subsequent run thereafter.
    E. A raw keyword search can be conducted during processing by the EnCase Evidence Processor.
    C.  A device must be an image or be acquired first by the EnCase Evidence Processor.  Live devices can be subjected to direct processing by the EnCase Evidence Processor.  Red flags denote items that must be run during the first run of the processor.  If you don't run them then, you can't run them later.  It's now or never, so to speak.


    (C7)
  30. 10. When performing a keyword search in Windows, EnCase searches which of the following?

    A. Both A and B
    B. The physical disk in unallocated clusters and other unused disk areas
    C. The logical files
    D. None of the above
    A.  EnCase performs a search not only of logical files but of the entire disk, including unallocated clusters and unused disk areas outside the logical partition.

    (C7)
    (this multiple choice question has been scrambled)
  31. 11. By default, search terms are case sensitive.

    A. True
    B. False
    B.  False.  By default, the Case Sensitive option is not selected; therefore, search terms are not case sensitive unless you select that option.

    (C7)
  32. 12. By selecting the Unicode box for a raw search, EnCase searches for both ASCII and Unicode formats.

    A. True
    B. False
    A.  True.  By selecting the Unicode box, EnCase will search for both ASCII and Unicode formats.

    (C7)
  33. 13. With regard to a search using EnCase in the Windows environment, can EnCase find a word or phrase that is fragmented or spans noncontiguous clusters?

    A. No, because the letters are located in noncontiguous clusters.
    B. No, EnCase performs a physical search only.
    C. No, unless the File Slack option is deselected in the dialog box before the search.
    D. Yes, EnCase performs both physical and logical searches.
    D.  EnCase can perform both physical searches as well as logical searches for keyword(s) that span noncontiguous clusters.

    (C7)
    (this multiple choice question has been scrambled)
  34. 14. Which of the following would be a raw search hit for the His keyword?

    A. this
    B. His
    C. history
    D. Bill_Chisholm@gmail.
    E. All of the above.
    E. All of the above.  Since the entry allows for characters to precede and follow the keyword and the default setting does not have the Case Sensitive option enabled, all the selections apply.


    (C7)
  35. 15. Which of the following would be a search hit for the following GREP expression?
    [^a-z]Liz[^a-z]

    A. Elizabeth
    B. Liz1
    C. Lizzy
    D. None of the above
    B.  Within brackets, the GREP symbol ^ means to exclude the characters that follow it.  So the GREP expression in the question excludes the alpha characters (a through z) immediately before and after the keyword but will match non-alpha characters such as numbers.

    (C7)
    (this multiple choice question has been scrambled)
  36. 16. Which of the following would be a search hit for the following GREP expression?
    [\x00-\x07]\x00\x00\x00…

    A. 0A 00 00 00 A0 EE F1
    B. 06 00 00 00 A0 EE F1
    C. 00 00 00 01 A0 EE F1
    D. 08 00 00 00 A0 EE F1
    B.  The GREP expression in the question matches a hexadecimal value in the range 00 through 07, followed by the hexadecimal values 00 00 00 and then any other characters.

    (C7)
    (this multiple choice question has been scrambled)
  37. 17. Which of the following would be a search hit for the following index search expression?
    <c>Saddam npre/3 Hussein

    A. saddam alfonso adolph cano hitler hussein
    B. saddam alfonso hussein adolph cano hitler
    C. Saddam Alfonso Adolph Cano Hitler Hussein
    D. Hussein Hitler Cano Adolph Alfonso Saddam
    E. Saddam Alfonso Hussein Adolph Cano Hitler
    F. None of the above
    C.  This index search expression calls first for a case-sensitive search, because of the <c>.  The npre/3 means at least three words apart and Saddam must precede Hussein.  Only A meets this query.

    (C7)
    (this multiple choice question has been scrambled)
  38. 18. Which of the following will not be a search hit for the following GREP expression?
    [^#]123[ -]45[ -]6789[^#]

    A. A123 45-6789
    B. A1234567890
    C. A123-45-6789
    D. A123 45 6789
    B.  The GREP expression [^#] means that it cannot be a number, meaning the first character and last character following the 9 can't be numbers.  Therefore, A will not return as a search hit because the number 0 follows the number 9.

    (C7)
    (this multiple choice question has been scrambled)
  39. 19. A sweep or highlight of a specific range of text is referred to as which of the following?

    A. Highlighted data bookmark
    B. Notable file bookmark
    C. Notes bookmark
    D. Table view bookmark
    E. Single item bookmark
    A.  The highlighted data bookmark is a sweep or highlight of a specific text fragment.

    (C7)
    (this multiple choice question has been scrambled)
  40. 20. Which of the following is not correct regarding EnCase 7 index searches?

    A. Before searching, the index must first be created using the Create Index EnScript.
    B. Before searching, the index must first be created using the EnCase Evidence Processor.
    C. All queries are case insensitive regardless of any switches or settings, because that is the nature of all indexed searches.
    D. By default, queries are case insensitive but can be configured to be case sensitive.
    E. A query for any word in the noise file will not return any items as all words in the noise file are ignored and excluded from the index.
    A and C.  An index is required first before searching but is created by the EnCase Evidence Processor and not by an EnScript named Create Index.  Queries are case insensitive, by default, but do have the ability to be case sensitive if preceded by <c>.


    (C7)
  41. 1. When running a signature analysis, EnCase will do which of the following?

    A. Compare a file’s header to its file signature.
    B. Compare a file’s hash value to its file extension.
    C. Compare a file’s header to its hash value.
    D. Compare a file’s header to its file extension.
    D.  A signature analysis will compare a file's header or signature to its file extension.

    (C8)
    (this multiple choice question has been scrambled)
  42. 2. A file header is which of the following?

    A. A 128-bit value that is unique to a specific file based on its data.
    B. Synonymous with file extension.
    C. A unique set of characters following the filename that identifies the file type.
    D. A unique set of characters at the beginning of a file that identifies the file type.
    D.  A file header identifies the type of file and is located at the beginning of the file's data area.

    (C8)
    (this multiple choice question has been scrambled)
  43. 3. The Windows operating system uses a filename’s ______________ to associate files with the proper applications.

    A. MD5 hash value
    B. metadata
    C. extension
    D. signature
    C.  The Windows operating system uses a file's extension to associate the file with the proper application.

    (C8)
    (this multiple choice question has been scrambled)
  44. 4. Unix (including Linux) operating systems use a file’s ______________ to associate file types to specific applications.

    A. metadata
    B. hash value
    C. header
    D. extension
    C.  Unix (including Linux)  operating systems use a file's header information to associate file types to specific applications.

    (C8)
    (this multiple choice question has been scrambled)
  45. 5. The Mac OS X operating system uses which of the following file information to associate a file to a specific application?

    A. The “user defined” setting
    B. Filename extension
    C. Metadata (creator code)
    D. All of the above
    D.  When determining which application to use to open a file, Mac OS X gives first precedence to "user defined" settings, second precedence to creator code metadata, and third precedence to filename extensions.  If none of these are present, other rules come into play.

    (C8)
  46. 6. Information regarding a file’s header information and extension is saved by EnCase 7 in the _______________ file.

    A. FileHeader.ini
    B. FileExtensions.ini
    C. FileTypes.ini
    D. FileInformation.ini
    C.  Information about a file's header and extension is saved in the FILETYPES.INI file.


    (C8)
    (this multiple choice question has been scrambled)
  47. 7. When a file’s signature is unknown and a valid file extension exists, EnCase will display the following result after a signature analysis is performed.

    A. Unknown
    B. Alias (Signature Mismatch)
    C. Bad Signature
    D. Match
    C.  When a file's signature is unknown and a valid extension is present, EnCase will display the status as being Bad Signature.

    (C8)
    (this multiple choice question has been scrambled)
  48. 8. When a file’s signature is known and the file extension does not match, EnCase will display the following result after a signature analysis is performed.

    A. Alias (Signature Mismatch)
    B. Bad Signature
    C. Match
    D. Unknown
    A. When a file's signature is known and an inaccurate file extension is present, EnCase reports Alias in the Signature Analysis column, displays the true signature in the Signature column, and may update the Category column.

    (C8)
    (this multiple choice question has been scrambled)
  49. 9. When a file’s signature is known and the file extension matches, EnCase will display the following result after a signature analysis is performed.

    A. Unknown
    B. Bad Signature
    C. Match
    D. Alias (Signature Mismatch)
    C. When a file's signature is known and an accurate file extension is present, EnCase will display the result as a Match.

    (C8)
    (this multiple choice question has been scrambled)
  50. 10. When a file’s signature and extension are not recognized, EnCase will display the following result after a signature analysis is performed.

    A. Unknown
    B. Match
    C. Bad Signature
    D. Alias (Signature Mismatch)
    A. When a file's signature and extension are not recognized, EnCase will display the result as Unknown.

    (C8)
    (this multiple choice question has been scrambled)
  51. 11. Can a file with a unique header share multiple file extensions?

    A. Yes
    B. No
    A.  Yes.  A unique file header can be shared by multiple file extensions.  An example of such a case is a .jpeg or .jpg file; both extensions share the same file header.


    (C8)
  52. 12. A user can manually add new file headers and extensions by doing which of the following?

    A. Choosing the File Types view, right-clicking, and selecting New in the appropriate folder
    B. Manually inputting the data in the FileSignatures.ini file
    C. Right-clicking the file and choosing Add File Signature
    D. Adding a new file header and extension and then choosing Create Hash Set
    A.  A user can manually add new file headers and extensions by accessing the File Types view and creating a new entry, with new header and extension.

    (C8)
    (this multiple choice question has been scrambled)
  53. 13. Select the correct answer that completes the following statement: An MD5 hash _________________.

    A. is a 128-bit value
    B. has odds of one in 2^128 that two dissimilar files will share the same value
    C. is not determined by the filename
    D. All of the above
    D.  An MD5 hash is a 128-bit hash value, and the odds of two different files having the same value are one in 2^128.  A file's MD5 hash value is based on the file's data area, not its filename, which resides outside the data area.

    (C8)
  54. 14. EnCase can create a hash value for the following.

    A. Physical devices
    B. Logical volumes
    C. Files or groups of files
    D. All of the above
    D.  EnCase can calculate hash values for any of the options listed.

    (C8)
  55. 15. With EnCase 7, how many hash libraries can be applied at one time to any case?

    A. Two
    B. Three
    C. One
    D. No limit to the number that can be applied
    A.  EnCase 7 allows two hash libraries to be applied to a case at any given time.

    (C8)
    (this multiple choice question has been scrambled)
  56. 16. Will changing a file’s name affect the file’s MD5 or SHA1 hash value?

    A. Yes
    B. No
    B.  No, merely changing a file's name will not affect its MD5 or SHA1 hash value, because the hash value is based on the file's data, not its filename.

    (C8)
  57. 17. Usually a hash value found in a hash set named Windows 7 would be reported in the Hash Category column as which of the following?

    A. Evidentiary
    B. Notable
    C. Known
    D. Nonevidentiary
    C.  Known.  These hash sets have been produced from known safe sources and are categorized as Known.  In most cases, they are nonevidentiary and can be ignored when conducting searches and other analyses.

    (C8)
    (this multiple choice question has been scrambled)
  58. 18. With regard to hash categories, evidentiary files or files of interest are categorized as which of the following?

    A. Known
    B. Nonevidentiary
    C. Evidentiary
    D. Notable
    D.  Notable.  Evidentiary files or files of interest are usually categorized as Notable.

    (C8)
    (this multiple choice question has been scrambled)
  59. 19. An MD5 or SHA1 hash of a specific media generated by EnCase will yield the same hash value as an independent third-party MD5 or SHA1 hashing utility.

    A. True
    B. False
    A. True.  Regardless of the MD5 or SHA1 hashing utility used, the hash value generated will be the same, because MD5 and SHA1 are industry-standard algorithms.

    (C8)
  60. 20. A hash _______ is comprised of hash _______ , which is comprised of hash ______.

    A. library(ies), set(s), value(s)
    B. value(s), sets(s), library(ies)
    C. set(s), values(s), library(ies)
    D. set(s), library(ies), value(s)
    A. A hash library is comprised of hash sets, which are comprised of hash values.

    (C8)
    (this multiple choice question has been scrambled)
  61. 1. An operating system artifact can be defined as which of the following?

    A. Information specific to a user’s preference
    B. Information about the computer’s general settings
    C. Information stored about a user’s activities on the computer
    D. Information used to simplify a user’s experience
    E. All of the above
    E. Operating system artifacts serve as information used by the computer to fulfill certain user and system-specific requirements and needs.

    (C9)
  62. 2. A FAT file system stores date and time stamps in _______ , whereas the NTFS file system stores date and time stamps in _______ .

    A. DOS directory, local time
    B. Local time, GMT
    C. Zulu time, GMT
    D. SYSTEM.DAT, NTUSER.DAT
    B. A FAT file system stores date and time stamps in local time, while the NTFS file system stores date and time stamps in GMT.

    (C9)
    (this multiple choice question has been scrambled)
  63. 3. Where does Windows store the time zone offset?

    A. DOS directory or MFT
    B. Registry
    C. INFO2 file
    D. BIOS
    B.  Windows stores the time zone offset in the registry.

    (C9)
    (this multiple choice question has been scrambled)
  64. 4. In Windows 7, where can the date and time of when a file was sent to the Recycle Bin be found?

    A. INFO2 file
    B. $I index file
    C. DOS directory
    D. Original filename’s last access date
    B. If it is a Windows Vista (or beyond) Recycle Bin, the date and time when the file was deleted is saved in the $I index file that corresponds with the deleted file.  If it is a pre-Vista operating system, when a file is sent to the Recycle Bin, the date and time of when the file was deleted is saved in the INFO2 file.

    (C9)
    (this multiple choice question has been scrambled)
  65. 5. When a text file is sent a pre–Windows Vista Recycle Bin, Windows changes the short filename of the deleted file to DC0.txt in the Recycle Bin. Select the best choice that explains the deleted filename.

    A. D=DOS, C=character, 0=index number, file extension remains the same
    B. D=DOS, C=drive letter, 0=index number, file extension remains the same
    C. D=deleted, C=drive letter, 0=index number, file extension remains the same
    D. D=deleted, C=character, 0=index number, file extension remains the same
    C.  When a file is sent to the Recycle Bin, Windows changes the short filename to D for Deleted, followed by the drive letter and the index number.  The file extension for the deleted file remains the same.

    (C9)
    (this multiple choice question has been scrambled)
  66. 6. When a document is opened, a link file bearing the document’s filename is created in the ____________ folder.

    A. Temp
    B. Shortcut
    C. Recent
    D. History
    C. When a user opens a document, a link file bearing the document's filename is created in the Recent folder.

    (C9)
    (this multiple choice question has been scrambled)
  67. 7. Link files are shortcuts or pointers to actual items. These actual items can be what?

    A. Programs
    B. Documents
    C. Folders
    D. Devices
    E. All of the above
    E.  Link files are shortcuts to a variety of items such as programs, documents, folders, and devices such as removable media.

    (C9)
  68. 8. In NTFS, information unique to a specific user is stored in the ____________ file.

    A. USER.DAT
    B. NTUSER.DAT
    C. SYSTEM.DAT
    D. None of the above
    B.  In NTFS, information unique to a specific user is stored in the NTUSER.DAT file.

    (C9)
    (this multiple choice question has been scrambled)
  69. 9. In Windows XP, Windows Vista, or Windows 7, by default, how many recently opened documents are displayed in the My Recent Documents or Recent Items folder?

    A. 4
    B. 12
    C. 15
    D. Unlimited
    C.  By default, the My Recent Documents folder displays 15 recently opened documents; however, the actual folder may contain hundreds more.

    (C9)
    (this multiple choice question has been scrambled)
  70. 10. Most of a user’s desktop items on a Windows 7 operating system would be located in the________________________ directory.

    A. C:\WINDOWS\Desktop
    B. C:\WinNT\Desktop
    C. C:\WINDOWS\System32\config\Desktop
    D. C:\Users\%User%\Desktop
    D. A specific user's desktop items are located in the path C:\Users\%User%\Desktop in a Windows 7 operating system.

    (C9)
    (this multiple choice question has been scrambled)
  71. 11. Because this file will hold the contents of RAM when the machine is powered off, the ____________ file will be the approximate size of the system RAM and will be in the root directory.

    A. WIN386.SWP
    B. NTUSER.DAT
    C. PAGEFILE.SYS
    D. hiberfil.sys
    D.  When the system goes into hibernation, the contents of RAM are written to the file hiberfil.sys which is the exact size of RAM and located in the root of the system drive.

    (C9)
    (this multiple choice question has been scrambled)
  72. 12. Where can you find evidence of web-based email such as from MSN Hotmail or Google Gmail on a Windows system?

    A. In Temporary Internet Files under Local Settings in the user’s profile
    B. In Unallocated Clusters
    C. In the pagefile.sys file
    D. In the hiberfil.sys file
    E. All of the above
    E.  Evidence of web-based email is commonly viewed but not saved.  Therefore, its contents may be found in the Temporary Internet Files folder, in Unallocated Clusters, or in the pagefile.sys and hiberfil.sys files.

    (C9)
  73. 13. Filenames with the .url extension that direct web browsers to a specific website are normally located in which folder?

    A. Cookies folder
    B. History folder
    C. Send To folder
    D. Favorites folder
    D.  The Favorites folder contains link files that direct the browser to certain websites.  These link files usually have a name that describes the website followed with the .url extension.

    (C9)
  74. 14. Data about Internet cookies such as URL names, date and time stamps, and pointers to the actual location of the cookie is stored where?

    A. EMF file
    B. INFO2 file
    C. index.dat file
    D. pagefile.sys file
    C. Information about an Internet cookie such as the URL name, date and time stamps, and pointers to the actual cookie are stored in the index.dat file.

    (C9)
  75. 15. On a Windows 98 machine, which folder is the swap or page file contained in?

    A. pagefile.sys
    B. swapfile.sys
    C. WIN386.SWP
    D. page.swp
    C.  The swap file is saved as WIN386.SWP on a Windows 98 machine and as pagefile.sys on Windows XP and newer.

    (C9)
  76. 16. When you are examining evidence that has been sent to a printer, which file contains an image of the actual print job?

    A. The Enhanced Metafile (EMF)
    B. The spool file
    C. The shadow file
    D. The RAW file
    B.  The .sp, or spool, file contains an image of what is sent to the printer to be printed.

    (C9)
  77. 17. The two modes for printing in Windows are ____________ and ____________ .

    A. spooled, EM
    B. spooled, shadowed
    C. spooled, direct
    D. EMF, RAW
    D.  The two printing modes in Windows are RAW and EMF.

    (C9)
  78. 18. Although the Windows operating system removes the EMF file upon a successful print job, the examiner may still recover the file as a result of a search on its unique header information in areas such as Unallocated Clusters or the swap file.

    A. True
    B. False
    A.  True. Even though Windows deletes the EMF file after a print job has been completed, EnCase may still be able to recover the file by doing a search of its unique header information.

    (C9)
  79. 19. The index.dat files are system files that store information about other files. They track date and time stamps, file locations, and name changes. Select the folder that does not contain an index.dat file.

    A. Cookies
    B. Recycle Bin
    C. History
    D. Temporary Internet Files
    B.  The Recycle Bin does not contain an index.dat file; in Windows 2000/XP, it contains the INFO2 file.

    (C9)
  80. 20. The Temporary Internet Files directory contains which of the following?

    A. Web page files that are cached or saved for possible later reuse
    B. An index.dat file that serves as a database for the management of the cached files
    C. Web mail artifacts
    D. All of the above
    D. The Temporary Internet Files directory contains all the previously mentioned items.

    (C9)
  81. 1. How many sector(s) on a hard drive are reserved for the master boot record (MBR)?

    A. 1
    B. 4
    C. 16
    D. 62
    E. 63
    E.  The first 63 sectors of a hard drive are reserved for the MBR even though its contents are contained in the very first sector.

    (C10)
  82. 2. The very first sector of a formatted hard drive that contains an operating system is referred to as which of the following?

    A. Absolute sector 0
    B. Boot sector
    C. Containing the master boot record (MBR)
    D. All of the above
    D.  The first sector of a formatted hard drive with an operating system is referred to as a boot sector, which contains the MBR and is located at absolute sector 0.

    (C10)
  83. 3. How many logical partitions does the partition table in the master boot record allow for a physical drive?

    A. 24
    B. 2
    C. 4
    D. 1
    C.  The partition table allows for four logical partitions.  It consists of 64 bytes, and each of the four partitions is described by a 16-byte entry.

    (C10)
  84. 4. The very first sector of a partition is referred to as which of the following?

    A. Active primary partition
    B. Physical sector 0
    C. Volume boot record
    D. Master boot record
    C.  The first sector of a partition contains the volume boot record.

    (C10)
  85. 5. If a hard drive has been fdisked, EnCase can still recover the deleted partition(s), if you point to the _________ and select Add Partition from the Partition menu.

    A. unallocated space
    B. volume boot record
    C. partition table
    D. master boot record
    B.  EnCase can still recover deleted partitions if you point to the first sector of the partition, which is the volume boot record, and select the Add Partition command from the Partition menu.

    (C10)
  86. 6. In an NTFS partition, where is the backup copy of the volume boot record (VBR) stored?

    A. In the partition table.
    B. The last sector of the partition.
    C. An NTFS partition does not store a backup of the VBR.
    D. Immediately after the VBR.
    B. When a hard drive is formatted with an NTFS partition, a backup of the VBR is stored in the last sector of the partition.

    (C10)
  87. 7. EnCase can mount a compound file, which can then be viewed in a hierarchical format.
    Select an example of a compound file.

    A. Registry file (that is, .dat)
    B. Email file (that is, .edb, .nsf, .pst, .dbx)
    C. Compressed file (that is, .zip)
    D. Thumbs.db
    E. All of the above
    E.  These file types are all examples of compound files whose contents EnCase is able to display in a hierarchical format.

    (C10)
  88. 8. Windows 7 contains two master keys in its registry. They are HKEY_LOCAL_MACHINE and which of the following?

    A. HKEY_CURRENT_USER
    B. HKEY_CURRENT_CONFIG
    C. HKEY_CLASSES_ROOT
    D. HKEY_USERS
    D.  The other master key is HKEY_USERS.  The other choices are derived keys that are linked to keys within the two master keys.

    (C10)
  89. 9. In Windows 7, information about a specific user’s preference is stored in the NTUSER.DAT file. This compound file can be found where?

    A. C:\Documents and Settings\All Users\Application Data
    B. C:\Users\username
    C. C:\
    D. C:\WINDOWS
    B.  Each time a profile or username is created, the NTUSER.DAT file is also created for the specific profile.  This compound file is stored locally in the root of C:\Users\%USERNAMES%.

    (C10)
  90. 10. In an NTFS file system, the date and time stamps recorded in the registry are stored where?

    A. Local time based on the BIOS settings
    B. GMT and converted based on the system’s time zone settings
    B.  In an NTFS file system, the date and time stamps recorded in the registry are recorded in GMT, which is then displayed in local time based on the system's time zone setting.

    (C10)
  91. 11. EnScript is a proprietary programming language and application programming interface (API) developed by Guidance Software, designed to function properly only within the EnCase environment.

    A. True
    B. False
    A.  True - Since EnScript is a proprietary programming language, it is designed to function properly only in the EnCase environment.

    (C10)
  92. 12. Since EnScript is a proprietary programming language developed by Guidance Software, EnScripts can be created by and obtained only from Guidance Software.

    A. True
    B. False
    B.  False - Although EnScript was developed by Guidance Software, anyone with computer programming skills and knowledge of the programming language can develop their own EnScripts.

    (C10)
  93. 13. Filters are a type of EnScript that “filters” a case for certain file properties such as file
    types, dates, and hash categories. Like EnScripts, filters can also be changed or created by a user.

    A. True
    B. False
    A.  True - Since filters are in essence EnScripts, any user can modify an existing filter or create their own.

    (C10)
  94. 14. Select the type of email that EnCase 6 is not capable of recovering.

    A. Microsoft Outlook
    B. AOL
    C. Microsoft Outlook Express
    D. Lotus Notes and Microsoft Exchange Server
    E. None of the above
    E.  EnCase 7 can recognize and parse all these types of emails.

    (C10)
  95. 15. Which method is used to view the contents of a compound file that contains emails such as a PST file in EnCase 7?

    A. Both A and B.
    B. Run Find Email from within the EnCase Evidence Processor.
    C. Select View File Structure from the Entries options.
    D. None of the above.
    A.  EnCase 7 allows the user to view the contents of compound files containing emails either by selecting View File Structure or by running Find Email from within the EnCase Evidence Processor.  While both will allow viewing the compound file, per se, only the latter method will send the output to the Records view.

    (C10)
  96. 16. EnCase 7 cannot process web-based email such as MSN Hotmail or Yahoo! Mail because the information can be found only on the mail servers.

    A. True
    B. False
    B.  False. Contents of web-based emails may reside in areas such as Temporary Internet History, cache (pagefile.sys), hiberfil.sys, and unallocated clusters.  Using the web mail finder option from the File Carver, EnCase can locate web mail fragments.

    (C10)
  97. 17. The EnCase Decryption Suite (EDS) will not decrypt Microsoft’s Encrypting File System (EFS) on the ___________ operating system.

    A. Windows 2000 Professional and Server
    B. Windows XP Professional
    C. Windows 2003 Server
    D. Windows 7 Home Edition
    D.  Microsoft Windows 7 Home Edition does not include the EFS feature nor does it support BitLocker.

    (C10)
  98. 18. At which levels can the VFS module mount objects in the Windows environment?

    A. The case level
    B. The disk or device level
    C. The volume level
    D. The folder level
    E. All of the above
    E.  The VFS module can mount data at the case, disk or device, volume, and folder levels.

    (C10)
  99. 19. The Physical Disk Emulator (PDE) module is similar to the Virtual File System (VFS); the
    module can mount a piece of media that is accessible in the Windows environment. Select the type(s) of media that the Physical Disk Emulator cannot mount.

    A. Folders
    B. Cases
    C. Volumes
    D. Physical disks
    E. Both A and B
    E.  The Physical Disk Emulator can mount volumes and physical disks in the Windows environment; however, it does not mount cases or folders.

    (C10)
  100. 20. The Virtual File System (VFS) module mounts data as _______, while the Physical Disk Emulator (PDE) module mounts data as _______.

    A. emulated disk, network share
    B. virtual file, physical disk
    C. network share, emulated disk
    D. virtual drive, physical drive
    C.  When a user selects the VFS module, EnCase will prompt the user with a Mount As Network Share dialog box.  When a user selects the PDE module, EnCase will prompt the user with a Mount As Emulated Disk dialog box.

    (C10)
